[PATCH] rpm-5.4.14: disable external key server

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [PATCH] rpm-5.4.14: disable external key server
@ 2015-06-26  6:57 rongqing.li
  2015-06-26 14:00 ` Mark Hatle
  0 siblings, 1 reply; 2+ messages in thread
From: rongqing.li @ 2015-06-26  6:57 UTC (permalink / raw)
  To: openembedded-core

From: yzhu1 <yanjun.zhu@windriver.com>

When rpm makes header verification, rpm will send request to the
extern server, this is a potential risk.

Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
---
 .../rpm-macros.in-disable-external-key-server.patch | 21 +++++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_5.4.14.bb             |  1 +
 2 files changed, 22 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch

diff --git a/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch b/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch
new file mode 100644
index 0000000..206f258
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch
@@ -0,0 +1,21 @@
+disable external key server
+
+Upstream-Status: Pending
+
+When rpm makes header verification, rpm will send request to the
+extern server, this is a potential risk.
+
+Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
+--- a/macros/macros.in
++++ b/macros/macros.in
+@@ -546,8 +546,8 @@ $_arbitrary_tags_tests	Foo:Bar
+ # Horowitz Key Protocol server configuration
+ #
+ #%_hkp_keyserver         hkp://keys.n3npq.net
+-%_hkp_keyserver         hkp://pool.sks-keyservers.net
+-%_hkp_keyserver_query   %{_hkp_keyserver}/pks/lookup?op=get&search=
++#%_hkp_keyserver         hkp://pool.sks-keyservers.net
++#%_hkp_keyserver_query   %{_hkp_keyserver}/pks/lookup?op=get&search=
+ 
+ 
+ %_nssdb_path	/etc/pki/nssdb
diff --git a/meta/recipes-devtools/rpm/rpm_5.4.14.bb b/meta/recipes-devtools/rpm/rpm_5.4.14.bb
index 75b1ae2..666a68e 100644
--- a/meta/recipes-devtools/rpm/rpm_5.4.14.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4.14.bb
@@ -92,6 +92,7 @@ SRC_URI = "http://www.rpm5.org/files/rpm/rpm-5.4/rpm-5.4.14-0.20131024.src.rpm;e
 	   file://rpm-realpath.patch \
 	   file://0001-using-poptParseArgvString-to-parse-the-_gpg_check_pa.patch \
 	   file://no-ldflags-in-pkgconfig.patch \
+	   file://rpm-macros.in-disable-external-key-server.patch \
 	  "
 
 # Uncomment the following line to enable platform score debugging
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] rpm-5.4.14: disable external key server
  2015-06-26  6:57 [PATCH] rpm-5.4.14: disable external key server rongqing.li
@ 2015-06-26 14:00 ` Mark Hatle
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Hatle @ 2015-06-26 14:00 UTC (permalink / raw)
  To: openembedded-core

On 6/26/15 1:57 AM, rongqing.li@windriver.com wrote:
> From: yzhu1 <yanjun.zhu@windriver.com>
> 
> When rpm makes header verification, rpm will send request to the
> extern server, this is a potential risk.

Just to explain what this is.  When RPM experiences a signed package, with a
signature that it does NOT know.  By default it will send the -fingerprint- (and
only the 16 digit fingerprint) to an external HKP server, trying to get the key
down.

This is probably not a reasonable default behavior for the system to do, instead
it should simply fail the key lookup.  If someone wants to enable the HKP server
it's easy enough to do by enabling the necessary macros.

> Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
> ---
>  .../rpm-macros.in-disable-external-key-server.patch | 21 +++++++++++++++++++++
>  meta/recipes-devtools/rpm/rpm_5.4.14.bb             |  1 +
>  2 files changed, 22 insertions(+)
>  create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch
> 
> diff --git a/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch b/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch
> new file mode 100644
> index 0000000..206f258
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch
> @@ -0,0 +1,21 @@
> +disable external key server
> +
> +Upstream-Status: Pending
> +
> +When rpm makes header verification, rpm will send request to the
> +extern server, this is a potential risk.
> +
> +Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
> +--- a/macros/macros.in
> ++++ b/macros/macros.in
> +@@ -546,8 +546,8 @@ $_arbitrary_tags_tests	Foo:Bar
> + # Horowitz Key Protocol server configuration
> + #
> + #%_hkp_keyserver         hkp://keys.n3npq.net
> +-%_hkp_keyserver         hkp://pool.sks-keyservers.net
> +-%_hkp_keyserver_query   %{_hkp_keyserver}/pks/lookup?op=get&search=
> ++#%_hkp_keyserver         hkp://pool.sks-keyservers.net
> ++#%_hkp_keyserver_query   %{_hkp_keyserver}/pks/lookup?op=get&search=
> + 
> + 
> + %_nssdb_path	/etc/pki/nssdb
> diff --git a/meta/recipes-devtools/rpm/rpm_5.4.14.bb b/meta/recipes-devtools/rpm/rpm_5.4.14.bb
> index 75b1ae2..666a68e 100644
> --- a/meta/recipes-devtools/rpm/rpm_5.4.14.bb
> +++ b/meta/recipes-devtools/rpm/rpm_5.4.14.bb
> @@ -92,6 +92,7 @@ SRC_URI = "http://www.rpm5.org/files/rpm/rpm-5.4/rpm-5.4.14-0.20131024.src.rpm;e
>  	   file://rpm-realpath.patch \
>  	   file://0001-using-poptParseArgvString-to-parse-the-_gpg_check_pa.patch \
>  	   file://no-ldflags-in-pkgconfig.patch \
> +	   file://rpm-macros.in-disable-external-key-server.patch \
>  	  "
>  
>  # Uncomment the following line to enable platform score debugging
> 



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2015-06-26 14:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-06-26  6:57 [PATCH] rpm-5.4.14: disable external key server rongqing.li
2015-06-26 14:00 ` Mark Hatle

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox